Checking the file system tree

Whenever you suspect the integrity of the system might have been compromised, run the tcbck command to check the file system tree.

To check the file system tree, type:

tcbck -t tree

When the tcbck command is used with the tree value, all files on the system are checked for correct installation (this could take a long time). If the tcbck command discovers any files that are potential threats to system security, you can alter the suspected file to remove the offending attributes. In addition, the following checks are performed on all other files in the file system:

  • If the file owner is root and the file has the SetUID bit set, the SetUID bit is cleared.
  • If the file group is an administrative group, the file is executable, and the file has the SetGID bit set, the SetGID bit is cleared.
  • If the file has the tcb attribute set, this attribute is cleared.
  • If the file is a device (character or block special file), it is removed.
  • If the file is an additional link to a path name described in the /etc/security/sysck.cfg file, the link is removed.
  • If the file is an additional symbolic link to a path name described in the /etc/security/sysck.cfg file, the symbolic link is removed.

Note: All device entries must have been added to the /etc/security/sysck.cfg file prior to execution of the tcbck command or the system is rendered unusable. To add trusted devices to the /etc/security/sysck.cfg file, use the -l flag.

Attention: Do not run the tcbck -y tree command option. This option deletes and disables devices that are not properly listed in the TCB, and might disable your system.
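
The note above requires every device to be listed in /etc/security/sysck.cfg before the tree check runs. The following script is an added example, not part of the original documentation: it reports device path names that have no stanza in a sysck.cfg-style file, so they can be registered with the -l flag first. The function names, the stanza layout assumed by the parser (path name in column 1 followed by a colon), and the sample stanzas are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original page): report device special files
# that have no stanza in a sysck.cfg-style file.

# unlisted_devices CFG
# Reads device path names on stdin, one per line, and prints those that are
# not stanza names in CFG. Assumption: a stanza begins in column 1 with the
# path name followed by a colon; attribute lines are indented.
unlisted_devices() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    awk -v cfg="$1" '
        FILENAME == cfg {
            # Collect stanza names from the configuration file only.
            if ($0 ~ /^\/[^:]*:[ \t]*$/) {
                sub(/:[ \t]*$/, "")
                listed[$0] = 1
            }
            next
        }
        # Remaining input is the device list: print what is not listed.
        !($0 in listed) { print }
    ' "$1" -
}

# demo: run the check on constructed sample data (no real system files).
demo() {
    cfg=$(mktemp) || return 1
    cat > "$cfg" <<'EOF'
* constructed sample stanzas, not copied from a real system
/dev/null:
    type = CHAR_DEV
    owner = root
    mode = 666

/dev/hd4:
    type = BLK_DEV
    owner = root
    mode = 660
EOF
    printf '%s\n' /dev/null /dev/hd4 /dev/rmt0 /dev/mydisk |
        unlisted_devices "$cfg"
    rm -f "$cfg"
}

# On a live system the device list would come from find, for example:
#   find / \( -type b -o -type c \) -print | unlisted_devices /etc/security/sysck.cfg
demo
```

Any path the script prints is a device that the tree check would remove; review each one and add the trusted ones to the configuration file before running the tcbck command.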